Fang-Yu Rao has uploaded this change for review. ( http://gerrit.cloudera.org:8080/18113
Change subject: IMPALA-10436: Require lower privilege for external Kudu table creation ...................................................................... IMPALA-10436: Require lower privilege for external Kudu table creation This patch lowers the privilege requirement for external Kudu table creation. Before this patch, a user was required to have the ALL privilege on SERVER if the user wanted to create an external Kudu table. In this patch we introduce a new type of resources called storage handler URI and a new access type called RWSTORAGE that are recently supported by Ranger. Specifically, after this patch, a user will be allowed to create an external Kudu table as long as the user is granted the RWSTORAGE privilege on the resource specified by a storage handler URI that points to the existing Kudu table. For instance, in order for a user 'non_owner' to create an external Kudu table based on an existing Kudu table 'impala::tpch_kudu.nation', it suffices to execute the following command as an administrator to grant the necessary privilege to the requesting user, where "localhost" is the default address of Kudu master host assuming there is only one single master host in this example. GRANT RWSTORAGE ON STORAGEHANDLER_URI 'kudu://localhost/impala::tpch_kudu.nation' TO USER non_owner One may be wondering why we do not simply cancel the privilege check that required the ALL privilege on SERVER for external Kudu table creation. One scenario in which such a relaxation is not secure is when the owner or the creator of the existing Kudu table is different from the requesting user who wants to create an external Kudu table in Impala. Not requiring any additional privilege check would allow a user without any privilege to retrieve the contents of the existing Kudu table. On the other hand, after this patch we still require a user to have the ALL privilege on SERVER when the table property of 'kudu.master_addresses' is specified in a query that tries to create a Kudu table whether or not the table is external. We do not relax such a requirement in that specifying the addresses of Kudu master hosts to connect should still be considered as an administrative operation. Testing: - Added various FE and E2E tests to verify Impala's behavior after this patch with respect to external Kudu table creation. - Verified that this patch passes the core tests on the DEBUG build. Change-Id: I8e2312f85e3a3b0a081d2f935fcf5edd020bd928 --- M common/thrift/CatalogObjects.thrift M fe/src/main/cup/sql-parser.cup M fe/src/main/java/org/apache/impala/analysis/CreateTableStmt.java M fe/src/main/java/org/apache/impala/analysis/PrivilegeSpec.java M fe/src/main/java/org/apache/impala/analysis/ShowGrantPrincipalStmt.java A fe/src/main/java/org/apache/impala/analysis/StorageHandlerUri.java M fe/src/main/java/org/apache/impala/authorization/Authorizable.java M fe/src/main/java/org/apache/impala/authorization/AuthorizableFactory.java A fe/src/main/java/org/apache/impala/authorization/AuthorizableStorageHandlerUri.java M fe/src/main/java/org/apache/impala/authorization/DefaultAuthorizableFactory.java M fe/src/main/java/org/apache/impala/authorization/Privilege.java M fe/src/main/java/org/apache/impala/authorization/PrivilegeRequestBuilder.java M fe/src/main/java/org/apache/impala/authorization/ranger/RangerAuthorizationChecker.java M fe/src/main/java/org/apache/impala/authorization/ranger/RangerCatalogdAuthorizationManager.java M fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpalaResourceBuilder.java M fe/src/main/java/org/apache/impala/authorization/ranger/RangerImpaladAuthorizationManager.java M fe/src/main/java/org/apache/impala/authorization/ranger/RangerUtil.java M fe/src/main/jflex/sql-scanner.flex M fe/src/test/java/org/apache/impala/analysis/AnalyzeAuthStmtsTest.java M fe/src/test/java/org/apache/impala/analysis/ToSqlTest.java M fe/src/test/java/org/apache/impala/authorization/AuthorizationStmtTest.java M fe/src/test/java/org/apache/impala/authorization/AuthorizationTestBase.java M fe/src/test/java/org/apache/impala/authorization/ranger/RangerAuditLogTest.java M testdata/workloads/functional-query/queries/QueryTest/grant_revoke.test M tests/authorization/test_ranger.py 25 files changed, 695 insertions(+), 229 deletions(-) git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/13/18113/1 -- To view, visit http://gerrit.cloudera.org:8080/18113 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: newchange Gerrit-Change-Id: I8e2312f85e3a3b0a081d2f935fcf5edd020bd928 Gerrit-Change-Number: 18113 Gerrit-PatchSet: 1 Gerrit-Owner: Fang-Yu Rao <[email protected]>
